Need help with client isolation in unleashed mode

  • Updated 4 weeks ago
In searching the forums for this particular issue I found many posts but the only one that seemed to describe my problem was this one.  

So I faithfully followed the steps suggested by Jo Vens, but other devices on the network are still visible, even if they are unreachable when pinged. 

Specifically the steps followed were:
1. Created whitelist - added router LAN port MAC address and LAN gateway IP
2. Created L3 ACL list - allow DNS, DHCP, HTTP & HTTPS
3. In WLAN Advanced options:
    - on the Access Control tab select L3 ACL list previously created
    - on the Others tab, select both Isolation check boxes and select the whitelist previously created

Saved and re-started the access points.

As stated, I am able to get to the internet and all, but other devices are still visible to applications like Fing on iOS. 

I would've thought that the steps above would essentially give each device a pipe only to the internet, with nothing else on the network visible. 

What am I missing? 

hitesh patel


Posted 2 months ago


hitesh patel

After playing around with this a bit more, it seems that: 

enabling guest mode, here


disables the L3 ACL list selection here:


which in turn means that total isolation of clients is not possible (in guest mode)?


What am I missing?

Paul Van der Cruyssen

Enable all isolation boxes, and create a whitelist allowing access to DNS, DHCP and the default gateway; just check what a 'normal' client/device gets via DHCP. That should do the job, so just a whitelist, no other ACLs.

hitesh patel

Thanks for your reply!

What you suggested is actually what I had done first. Since my router provides the DHCP and DNS service to clients on the wifi network, I created a whitelist with the LAN IP address of the router and the MAC address of the LAN port on the router. 

No ACL list was in effect. 

With both isolation check boxes selected, clients were able to get an IP address, and could not see any other devices on the network, but also could not get to the internet.

With just the first isolation checkbox selected, clients were able to get to the internet, but other devices on the AP were visible, though not reachable, at least when pinged. 
==========================

With the method (using the L3 ACL)  given by Jo Vens, clients are able to get to the internet even with both isolation checkboxes selected.  However, other devices/clients on the network are still visible. Also this method does not work when Usage Type is set to "Guest Access".
===========================

Thanks. 

HP.

    

hitesh patel

After looking through virtually every post on this forum that has anything to do with client isolation, I've still been unsuccessful in getting it working. 

My goal is for clients connected to the WLAN in Guest Access mode to be able to get to the internet and just that. No other clients or devices on the same VLAN/subnet are reachable or even visible. 

I'm still hoping that someone has cracked this nut and can share their experience and give me some pointers to what I'm missing. 

Or at the very least, Ruckus can acknowledge that total client isolation is not possible when a WLAN is in Guest Access mode, and update their documentation accordingly.
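
The "visible but not reachable by ping" distinction raised in this thread can be checked from a Linux guest client by auditing its neighbour table against the whitelist. This is an added example, not part of any post above; it assumes iproute2's `ip neigh show` output, and the sample lines, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample of `ip neigh show` output from a guest client (not from the thread).
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.40 dev wlan0  FAILED
192.168.1.57 dev wlan0 INCOMPLETE
fe80::211:22ff:fe33:4455 dev wlan0 lladdr 00:11:22:33:44:55 router STALE
"""

# Hypothetical whitelist: the router's LAN IP and LAN-port MAC, as in step 1 of the first post.
WHITELIST = {("192.168.1.1", "00:11:22:33:44:55")}

LINE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?"
    r"(?:\s+router)?\s+(?P<state>[A-Z]+)\s*$"
)

def audit_neighbours(neigh_text, whitelist):
    """Sort neighbour entries into allowed, leaked and unresolved."""
    # Match on MAC only, so the gateway's IPv6 link-local entry also counts as allowed.
    allowed_macs = {mac.lower() for _, mac in whitelist}
    report = {"allowed": [], "leaked": [], "unresolved": []}
    for raw in neigh_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ip, mac = m["ip"], (m["mac"] or "").lower()
        if not mac:
            # FAILED / INCOMPLETE: no ARP or ND answer reached this client
            report["unresolved"].append(ip)
        elif mac in allowed_macs:
            report["allowed"].append(ip)
        else:
            # A learned MAC means a frame from that peer reached this client
            report["leaked"].append((ip, mac))
    return report

def isolation_holds(report):
    """True when no non-whitelisted peer has a resolved MAC."""
    return not report["leaked"]

if __name__ == "__main__":
    result = audit_neighbours(SAMPLE_NEIGH, WHITELIST)
    for bucket, entries in result.items():
        print(bucket, entries)
    print("isolation holds:", isolation_holds(result))
```

Entries learned before isolation was enabled will still be listed, so clear the client's neighbour table before re-testing.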